Member Avatar for RogerLacroix
RogerLacroix 0 Newbie Poster

A little help please,

Pre-amble:
-----------
A large mid-west US utility is using RedHat Linux and eDirectory successfully. The setup is RedHat 7.2 and openldap-clients-2.0.27-2.7.3 (they are not running a Novell Client on the Linux servers). They have it setup to send the password in clear-text. They can successfully log onto the box using UserIDs & passwords that are in eDirectory

On the RH Linux server they are running WebSphere MQ v5.3 and they decided to purchase Capitalware's security product called: MQ Authenticate User Security Exit (MQAUSX). MQAUSX fully authenticates a user who is accessing a WebSphere MQ resource. It verifies the User's UserID and Password against the server's native OS UserID/password management system.

MQAUSX follows the standard Linux security principles of (1) using getspnam() function to retrieve the 'spwd' structure information, (2) use crypt to encrypt the incoming user's password and (3) compare the 2 encrypted passwords. (Yes, the executable has the user ownership as root and the user sticky bit is set.)


Problem:
---------
If the UserID and password are local to the RH Linux box then everything works fine (as expected and well tested).

But if the UserID and password are in eDirectory then the password returned by getspnam() is always 'x' (a single character 'x'). I have tried getpwnam(),getspent() and getpwent() functions but all of them return a password of 'x'.


Question:
----------
On the eDirectory server, maybe the RH Linux server is not 'trusted' to lookup the password?? Or maybe the application is not 'trusted' to lookup the password??

The reason I think it is a 'trusted' issue is that getspnam() and the other functions return successfully but the password field is filled with an 'x'. Here's a discussion of Linux, PAM, LDAP and the password field containing an 'x':
https://www.redhat.com/archives/pam-list/2000-August/msg00045.html

Plus it actually states it in the RFC 2307. At the very bottom of section 5.3, it talks about DUA (directory user agent) returning an 'x':
http://www.faqs.org/rfcs/rfc2307.html

Help Please:
-------------
So, I just need to figure out what parameter / setting / conf / property file that will allow the ldap client (DUA) to do the password lookup.
Any and all help is much appreciated.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz

  • 1 Contributor
  • 0 Replies
  • 63 Views
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.